Secure network resource access system

ABSTRACT

A secure network resource access system facilitates network access by network terminals to network resources located behind an enterprise firewall, and comprises a proxy server and a polling server. The proxy server is located logically outside the enterprise firewall for receiving application data from the network terminals. The polling server is located logically behind the enterprise firewall, and is configured to poll the proxy server to initiate transmission of the received application data from the proxy server to the polling server, to receive application data and associated network resource data from the proxy server in response to the poll, and to direct the application data to one of the network resources in accordance with the associated network resource data.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a continuation of application Ser. No. 12/891,501filed Sep. 27, 2010, which is a continuation of nonprovisionalapplication Ser. No. 09/926,436 filed Jan. 18, 2002, now U.S. Pat. No.7,827,293, issued Nov. 2, 2010, which in turn is a National Entry ofInternational Application No. PCT/CA01/00235 filed Mar. 1, 2001, whichclaims priority to Canadian Application No. 2,299,824 filed Mar. 1,2000. The disclosure of application Ser. No. 12/891,501 is herebyincorporated by reference in its entirety.

FIELD OF THE INVENTION

The present invention relates to a method and system for networkmanagement system. In particular, the present invention relates to amethod and system for providing secure access to network resources.

BACKGROUND OF THE INVENTION

Local area networks are widely used as a mechanism for making availablecomputer resources, such as file servers, scanners, and printers, to amultitude of computer users. It is often desirable with such networks torestrict user access to the computer resources in order to manage datatraffic over the network and to prevent unauthorized use of theresources. Typically, resource access is restricted by defining accesscontrol lists for each network resource. However, as the control listscan only be defined by the network administrator, it is often difficultto manage data traffic at the resource level.

Wide area networks, such as the Internet, have evolved as a mechanismfor providing distributed computer resources without regard to physicalgeography. Recently, the Internet Print Protocol (“IPP”) has emerged asa mechanism to control access to printing resources over the Internet.However, IPP is replete with deficiencies.

First, as IPP-compliant printing devices are relatively rare, Internetprinting is not readily available.

Second, although IPP allows user identification information to betransmitted to a target resource, access to IPP-compliant resources canonly be changed on a per-resource basis. This limitation can beparticularly troublesome if the administrator is required to changepermissions for a large number of resources.

Third, users must have the correct resource driver and know the IPPaddress of the target resource before communicating with the resource.Therefore, if the device type or the IPP address of the target resourcechanges, users must update the resource driver and/or the IPP address ofthe resource. Also, if a user wishes to communicate with a number ofdifferent resources, the user must install and update the resourcedriver and IPP address far each resource as the properties of eachresource changes.

Fourth, access to IPP printers cannot be obtained without the resourceadministrator locating the resource outside the enterprise firewall, orwithout opening an access port through the enterprise firewall. Whereasthe latter solution provides the resource administrator with the limitedability to restrict resource access, the necessity of opening an accessport in the enterprise firewall exposes the enterprise network to thepossibility of security breaches.

Consequently, there remains a need for a network resource accesssolution which allows resource owners to easily and quickly controlresource access, which is not hindered by changes in device type andresource network address, which facilitates simultaneous communicationwith a number of target resources, and which does not expose theenterprise network to a significant possibility of security breaches.

SUMMARY OF THE INVENTION

According to the invention, there is provided a secure network resourceaccess system and a method of secure network resource access whichaddresses at least one deficiency of the prior art network resourceaccess systems.

The secure network resource access system, according to the presentinvention facilitates network access by network terminals to networkresources located behind an enterprise firewall, and comprises a proxyserver and a polling server. The proxy server is located logicallyoutside the enterprise firewall for receiving application data from thenetwork terminals. The polling server is located logically behind theenterprise firewall, and is configured to poll the proxy server toinitiate transmission of the received application data from the proxyserver to the polling server.

The secure network resource access method, according to the presentinvention, facilitates network access by network terminals to networkresources located behind an enterprise firewall, and comprises the stepsof (1) polling a proxy server located logically outside the enterprisefirewall for requests for communication with the network resources; (2)receiving application data and associated network resource data from theproxy server in response to the polling step; and (3) directing theapplication data to one of the network resources in accordance with theassociated network resource data.

BRIEF DESCRIPTION OF THE DRAWINGS

The preferred embodiment of the invention will now be described, by wayof example only, with reference to the drawings, in which:

FIG. 1 is a schematic view of the network resource access system,according to the present invention, showing the network terminals, thenetwork resources, the resource registry, the authorization server, theadministration server, the proxy server, and the polling server;

FIG. 2 is a schematic view one of the network terminals depicted in FIG.1, showing the driver application for use with the present invention;

FIG. 3 is a schematic view of the format of the resource recordscomprising the resource database of the resource registry depicted inFIG. 1, showing the network address field, the resource type field, theuser access level field, the resource information field, the pseudo-namefield, the username/password field, and the driver identification field;and

FIG. 4 is a flow chart depicting the method of operation of the networkresource access system.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

Turning to FIG. 1, a network resource access system, denoted generallyas 100, is shown comprising a network terminal 200, a network resource104, a resource registry 106, an administration server 108, and anauthorization server 110. Typically, the network resource access system100 comprises a plurality of network terminal 200, and a plurality ofnetwork resources 104, however for enhanced clarity of discussion, FIG.1 only shows a single network terminal 200 and a single network resource104. The network resource access system 100 also includes acommunications network 112 facilitating communication between thenetwork terminals 200, the network resources 104, the administrationserver 108, and the authorization server 110. Preferably, thecommunications network 112 comprises a wide area network such as theInternet, however the network 112 may also comprise a local areanetwork. Further, the network 112 need not be a land-based network, butinstead may comprise a wireless network and/or a hybrid of a land-basednetwork and a wireless network for enhanced communications flexibility.

Each network terminal 200 typically comprises a land-basednetwork-enabled personal computer. However, the invention is not limitedfor use with personal computers. For instance. one or more of thenetwork terminals 200 may comprise a wireless communications device,such as a wireless-enabled personal data assistant, or e-mail-enabledwireless telephone if the network 112 is configured to facilitatewireless data communication. In addition, the invention is not limitedto only facilitating transmission of text data, but instead may be usedto transmit image data, audio data or multimedia data, if desired.

As shown in FIG. 2, the network terminal 200 comprises a networkinterface 202, a user interface 204, and a data processing system 206 incommunication with the network interface 202 and the user interface 204.Typically, the network interface 202 comprises an Ethernet networkcircuit card, however the network interface 202 may also comprise an RFantenna for wireless communication over the communications network 112.Preferably, the user interface 204 comprises a data entry device 208(such as keyboard, microphone or writing tablet), and a display device210 (such as a CRT or LCD display).

The data processing system 206 includes a central processing unit (CPU)208, and a non-volatile memory storage device (DISC) 210 (such as amagnetic disc memory or electronic memory) and a read/write memory (RAM)212 both in communication with the CPU 208. The DISC 210 includes datawhich, when loaded into the RAM 212, comprise processor instructions forthe CPU 208 which define memory objects for allowing the networkterminal 200 to communicate with the network resources 104 and theauthorization server 110 over the communications network 112. Thenetwork terminal 200, and the processor instructions for the CPU 208will be discussed in greater detail below.

Typically, each network resource 104 comprises a printing device, and inparticular, an IPP-compliant printer. However, the invention is notlimited for use with networked printers (IPP-compliant or otherwise),but instead can be used to provide access to any of a variety of datacommunication devices, including facsimile machines, image servers andfile servers. Further, the invention is not limited for use withland-based data communications devices, but instead can be used toprovide access to wireless communications devices. For instance, thenetwork resource access system 100 can be configured to facilitate datacommunication with e-mail pagers or e-mail enabled wireless telephones.

It is expected that some of the network resources 104 may be locatedbehind an enterprise firewall. Accordingly, to facilitate communicationbetween network terminals 200 and firewall-protected network resources104, the network resource access system 100 may also include a proxyserver 114 located logically outside the enterprise firewall, and apolling server 116 located logically within the firewall, as shown inFIG. 1. Preferably, the proxy server 114 is located on-site at theenterprise responsible for administering the network resource 104, isprovided with a network address corresponding to the enterprise, andincludes a queue for receiving application data. However, the proxyserver 114 may also be located off-site, and may be integrated with theauthorization server 110 if desired. This latter option is advantageoussince it allows system administrators to provide access to networkresources 104, but without having to incur the expense of the domainname registration and server infrastructure.

In addition to the proxy server 114 and the polling server 116,preferably the enterprise includes an enterprise server 118 (eg. a printserver) to facilitate communication with the network resources 104located behind the firewall. The polling server 116 is in communicationwith the enterprise server 118, and is configured to periodically pollthe proxy server 114 through the firewall to determine whetherapplication data from a network terminal 200 is waiting in the queue ofthe proxy server 114. The proxy server 114 is configured to transmit anyqueued application data to the polling server 116 in response to thepoll signal from the polling server 116. Upon receipt of the queuedapplication data from the proxy server 114, the polling server 116transmits the application to the enterprise server 118 for distributionto the appropriate network resource 104. As will be apparent, thismechanism allows application data to be transmitted to network resources104 located behind a firewall, but without exposing the enterprise tothe significant possibility of security breaches associated withfirewall access ports.

The resource registry 106 comprises a resource database 120, a driverdatabase 122, and a user registration database 124. The resourcedatabase 120 includes resource records 300 identifying parametersassociated with the network resources 104. As shown in FIG. 3, eachresource record 300 comprises a network address field 302, a resourcetype field 304, and a user access level field 306 for the associatednetwork resource 104. The network address field 302 identifies thenetwork address of the network resource 104. As discussed above,typically each network resource 104 comprises an IPP-compliant printer,in which case the network address field 302 identifies comprises thenetwork resource IPP address. However, in the case where the networkresource 104 comprises a non-IPP-compliant device and the communicationsnetwork 112 comprises the Internet, preferably the network resource 104is linked to the communications network 112 via a suitable server, andthe network address field 302 for the network resource 104 identifiesthe Internet Protocol (“IP”) address of the server.

The resource type field 304 identifies the type of data communicationdevice of the network resource 104. For instance, the resource typefield 304 may specify that the network resource 104 is a printer, animage server, a file server, an e-mail pager, or an e-mail enabledwireless telephone. Further, the resource type field 304 may include aresource type sub-field specifying a sub-class of the network resourcetype. For example, the resource type sub-field may specify that thenetwork resource 104 is an IPP-capable printer, or a non-IPP-capableprinter.

The user access level field 306 identifies the type of communicationsaccess which the network terminals 200 are allowed to have in regards tothe associated network resource 104. In the embodiment, as presentlyenvisaged, the user access level field 306 establishes that the networkresource 104 allows one of:

-   -   (a) “public access” in which any network terminal 200 of the        network resource access system 100 can communicate with the        network resource 104;    -   (b) “private access” in which only members (eg. employees) of        the enterprise associated with the network resource 104 can        communicate with the network resource 104; and    -   (c) “authorized access” in which only particular network        terminals 200 can communicate with the network resource 104.

If the user access level field 306 specifies “authorized access” for anetwork resource 104, preferably the user access level field 306includes a sub-field which lists the names of the network terminals 200authorized to access the network resource 104, and a sub-field whichincludes an authorization password which the identified networkterminals 200 must provide in order to access the network resource 104.If the user access level field 306 specifies “private access” for anetwork resource 104, preferably the user access level field 306includes a sub-field which lists the network address of the networkterminals 200 which are deemed to members of the enterprise.

It should be understood, however, that the user access level field 306is not limited to identifying only the foregoing predefined user accesslevels, but may instead identify more than one of the predefined useraccess levels, or other user access levels altogether. For instance, theuser access level field 306 may identify that the associated networkresource 104 allows both private access to all employees of theenterprise running the network resource 104, and authorized access toother pre-identified network terminals 200. Further, the user accesslevel field 306 may also include one or more sub-fields (not shown)which provide additional restrictions/permissions on the type ofcommunications access which the network terminals 200 are allowed tohave in regards to the associated network resource 104. For instance,the user access level sub-fields may limit the hours of operation of thenetwork resource 104, or may place restrictions on the type of accesslimitations on a per-user basis, or per-group basis. Other variations onthe type of access will be readily apparent, and are intended to beencompassed by the scope of the present invention.

Preferably, each resource record 300 includes an information field 308which provides information on the network resource 104, such as datahandling capabilities, resource pricing and geographical co-ordinates.This latter parameter is particularly advantageous for use with mobilenetwork terminals 200, such as a wireless-enabled personal dataassistant or an e-mail-enabled wireless telephone, since it allows thenetwork terminal 200 to identify the nearest one of a plurality ofavailable network resources 104. This aspect of the invention will beexplained in greater detail below.

Each resource record 300 also includes a pseudo-name field 310, ausername/password field 312 and a network driver identifier field 314.The pseudo-name field 310 contains a resource pseudo-name whichidentifies the network resource 104 to the network terminals 200.Preferably, the pseudo-name is a network alias that identifies thephysical location and properties of the network resource 104, but doesnot identify the network address of the resource 104. Further,preferably each pseudo-name uniquely identifies one of the networkresources 104, however a group of the network resources 104 may bedefined with a common pseudo-name to allow communication with a group ofnetwork resources 104. This latter feature is particularly advantageoussince it allows the administrator of an enterprise associated with thegroup of network resources to dynamically allocate each network resource104 of the group as the demands for the network resources 104 ormaintenance schedules require.

In addition, preferably the resource record 300 includes a plurality ofthe pseudo-name fields 310 to allow the administrator of the associatednetwork resource 104 to update the name assigned to the network resource104, while also retaining one or more previous pseudo-names assigned tothe network resource 104. As will be explained, this feature isadvantageous since it allows the administrator to update a resource namewithout the risk that network terminals 200 using a prior pseudo-namewill be unable to locate or communicate with the network resource 104.

The username/password field 312 contains a unique username and passwordcombination which allows the administrator of the associated networkresource 104 to prevent authorized access and alteration to the datacontained in the resource record 300. Preferably, each resource record300 also includes an e-mail address field (not shown) which the networkresource access system 100 uses to provide the administrator of theassociated network resource 104 with a notification e-mail message whena message is successfully transmitted to the network resource 104.

The driver identifier field 314 contains a resource driver identifierwhich is used in conjunction with the driver database 122 to provide thenetwork terminals 200 with the appropriate resource driver forcommunication with the network resource 104. The driver database 122includes resource drivers which allow software applications installed onthe network terminals 200 to communicate with the network resources 104.As will be explained below, in order for a network terminal 200 tocommunicate with a selected network resource 104, the network terminal200 first downloads a driver application data from the administrationserver 108 over the communications network 112. The network terminal 200may also download the appropriate resource driver from the driverdatabase 122 (via the authorization server 110 over the communicationsnetwork 112), and then allow the authorization server 110 to configurethe downloaded resource driver in accordance with the access level field306 of the resource record 300 associated with the selected networkresource 104. Preferably, each resource driver includes a resourcedriver identifier which allows the authorization server 110 to identifythe resource driver which the network terminal 200 has downloaded.

The driver application will now be discussed in association with FIG. 2.As discussed above, the DISC 210 of the network terminal 200 includesdata which, when loaded into the RAM 212 of the network terminal 200,comprise processor instructions for the CPU 208. As shown, thedownloaded driver application data defines in the RAM 212 a memoryobject comprising a driver application 400. The driver application 400includes a generic resource driver 402 and a wrap-around resource driverlayer 404. The generic resource driver 402 allows the network terminal200 to communicate with a variety of different network resources 104,however the generic resource driver 402 typically will not provide thenetwork terminal 200 with access to all the features and capabilities ofany particular network resource 104. If the network terminal 200requires additional features not implemented with the generic resourcedriver 402, the appropriate resource driver may be downloaded from thedriver database 116, as mentioned above.

The wrap-around driver layer 404 includes an application communicationlayer 406, a driver administrator layer 408, and a data transmitterlayer 410. The application communication layer 406 is in communicationwith the resource driver 402 (generic or network resource specific) andthe application software installed on the network terminal 200, and isconfigured to transmit user application data between the applicationsoftware and the resource driver 402. The driver administrator layer 408communicates with the resource registry 106 over the communicationsnetwork 112 to ensure that the driver application 400 is properlyconfigured for communication with the selected network resource 104. Thedata transmitter layer 410 is in communication with the resource driver402 and is configured to transmit the data output from the resourcedriver 402 over the communications network 112 to the selected networkresource 104, via the network interface 202. Although the driverapplication 400 and its constituent component layers are preferablyimplemented as memory objects or a memory module in the RAM 212, it willbe apparent that the driver application 400 may instead be implementedin electronic hardware, if desired.

Returning to FIG. 1, the registration database 124 of the resourceregistry 106 includes user records each uniquely associated with a userof a respective network terminal 200 upon registration with the networkresource access system 100. Each user record identifies the name theregistered user's name, post office address and e-mail address. Inaddition, each user record specifies a unique password which theregistered user must specify in order to update the user's user record,and to obtain access to network resources 104 configured for “authorizedaccess”. The user record may also include additional informationspecifying default options for the network resource access system 100.For instance, the user may specify that the network resource accesssystem 100 should provide the user with an acknowledgement e-mailmessage when a message is successfully transmitted to a selected networkresource 104. The user may also specify an archive period for which thenetwork resource access system 100 should archive the messagetransmitted to the selected network resource 104. This latter option isadvantageous since it allows the user to easily transmit the samemessage to multiple network resources 104 at different times, and toperiodically review transmission dates and times for each archivemessage.

The administration server 108 is in communication with the resourcedatabase 120 and the registration database 124. The administrationserver 108 provides administrators of the network resources 104 withaccess to the records of the resource database 120 to allow theadministrators to update the network address field 302, the resourcetype field 304, the user access level field 306, the resourceinformation field 308, the pseudo-name field 310, the username/passwordfield 312 and/or the driver identifier field 314 of the resource record300 for the associated network resource 104. As will become apparent,this mechanism allows network administrators to change, for example, thenetwork address and/or the restrictions/permissions of the networkresources 104 under their control, or even the network resource 104itself, without having to notify each network terminal 200 of thechange. The administration server 108 also provides controlled access tothe registration database 124 so that only the user of the networkterminal 200 which established the user record can update the userrecord.

Where the username/password field 312 has been completed, theadministration server 108 is configured to block access to the resourcerecord 300 until the administrator provides the administration server108 with the correct username/password key. This feature allows theresource administrator to make adjustments, for example, to pricing andpage limit, in response to demand for the network resources 104, and tomake adjustments to the restrictions/permissions set out in the useraccess level field 306 and the resource information field 308 andthereby thwart unauthorized access to the network resources 104.

The authorization server 110 is in communication with the resourcedatabase 120 and the driver database 122 for providing the networkterminals 200 with the resource drivers 402 appropriate for the selectednetwork resources 104. Preferably, the authorization server 110 is alsoconfigured to configure the driver application 400 for communicationwith the selected network resource 104, by transmitting the networkaddress of the selected network resource 110 to the data transmitterlayer 410 over a communications channel secure from the user of thenetwork terminal 200 so that the network address of the network resource104 is concealed from the user of the network terminal 200. In the casewhere the communications network 112 comprises the Internet, preferablythe secure communications channel is established using the SecureSockets Layer (“SSL”) protocol.

In addition to the network terminal 200, the network resource 104, theresource registry 106, the administration server 108, the authorizationserver 110, and the communications network 112, preferably the networkresource access system 100 also includes a transaction server 126 and anarchive server 128. The transaction server 126 is in communication withthe authorization server 110 for keeping track of each data transferbetween a network terminal 200 and a network resource 104. For eachtransmission, preferably the transaction server 126 maintains atransmission record identifying the network terminal 200 whichoriginated the transmission, the network resource 104 which received thetransmission, and the date, time and byte size of the transmission.

The archive server 128 is configured to retain copies of the datatransmitted, for a specified period. As discussed above, the user of anetwork terminal 200 specifies the requisite archive period (if any) forthe data transmission, upon registration with the network resourceaccess system 100. Preferably, the administration server 108 providescontrolled access to the transaction server 126 and the archive server128 so that only the user of the network terminal 200 which originatedtransmission of the data is allowed access to the transmission recordassociated with the transmission.

The process by which a user of a network terminal 200 can communicatewith a network resource 104 will now described with reference to FIG. 4.The following discussion presupposes that the user of the networkterminal 200 has downloaded the driver application 400 from theadministration server 108 over the communications network 112. At step500, the user of a network terminal 200 decides whether to log in to thenetwork resource access system 100. As discussed above, if the userregisters with the network resource access system 100 and subsequentlylogs in to the network resource access system 100 (by providing theauthorization server 106 with the user's assigned password), the userwill have access to any network resources 104 which have “authorizedaccess” as the user access level and which have identified theregistered user as a user authorized to access the network resource 104.If the user does not register or fails to log in to the network resourceaccess system 100, the user will only have access to network resources104 which have established “public access” as the user access level.

At step 502, the user selects a network resource 104 by querying theadministration server 108 for a list of available network resources 104.Alternately, the user may postpone selection of a network resource 104until initiation of the transmission command. The network user query maybe based upon any desired criteria, including print turn-around time andpage size (where the target network resource 104 is a printer), price,and geography. In addition, the user may provide the administrationserver 108 with the geographical coordinates of the user to determinethe user's nearest network resources. The user may provide itsgeographical coordinates through any suitable mechanism known to thoseskilled in the art, including latitude/longitude co-ordinates, GPS, andwireless triangulation.

If the user requested a list of available network resources 104, theuser is provided with a list of pseudo-names associated with eachnetwork resource 104 satisfying the designated search criteria. Asdiscussed above, if the user logged in to the network resource accesssystem 100, the pseudo-name list will include both “public access”network resources 104 and “authorized access” network resources 104 withwhich the user has been authorized to communicate. Also, if the user ismember of an enterprise having network resources 104 registered with thenetwork resource access system 100, the pseudo-name list will alsoidentify network resources 104 which have been registered by theenterprise for “private access”. Otherwise, the pseudo-name list willonly identify network resources 104 registered for public access. Uponreceipt of the resource list, the user selects a network resource 104from the list.

At step 504, the administration server 108 queries the network user'snetwork terminal 200 for the resource driver identifier of the resourcedriver 402 configured on the network terminal 200, and then compares theretrieved resource driver identifier against the resource driveridentifier specified in the network driver identifier field 314 of theresource record 300 associated with the selected network resource 104 todetermine whether the driver application 400 has been configured withthe appropriate resource driver 402 for communication with the networkresource 104. If the network terminal 200 has not been configured withthe appropriate resource driver 402, the administration server 108prompts the user's network terminal 200 to download the necessaryresource driver 402. As will be apparent, the downloaded resource driver402 becomes part of the driver application 400.

When the user of the network terminal 200 is ready to communicate withthe selected network resource 104, the user of the network terminal 200transmits a transmission request via its application software to thedriver application 400, at step 506. If the user did not select anetwork resource 104 at step 502, the application communication layer406 of the driver application 400 contacts the administration server 108over the communications network 112 and prompts the user to select anetwork resource 104, as described above. Once a network resource 104 isselected, and the appropriate resource driver 402 is installed, theapplication communication layer 406 notifies the driver administratorlayer 408 of the transmission request.

At step 508, the driver administrator layer 408 provides theauthorization server 110 with the transmission request and identifiesthe selected network resource 104, by transmitting to the authorizationserver 110 the pseudo-name assigned to the selected network resource104. If the user of the network terminal 200 has registered and loggedin to the network resource access system 100, the driver administratorlayer 408 also provides the authorization server 110 with the registereduser's name.

The authorization server 110 then queries the resource database 120 withthe received pseudo-name for the resource record 300 associated with thepseudo-name, at step 510. The authorization server 110 then extracts theuser access level from the user access level field 306 of the retrievedresource record 300, and determines whether the network terminal 200 isauthorized to communicate with the selected network resource 104, atstep 512. As will be apparent from the foregoing discussion, if the useraccess level field 306 specifies “public access” for the networkresource 104, the network terminal 200 will be automatically authorizedto communicate with the network resource 104.

However, if the user access level field 306 specifies “private access”for the network resource 104, the authorization server 110 determinesthe network address of the network terminal 200 from the transmissionrequest transmitted by the network terminal 200, and then queries theuser access level sub-field with the terminal's network address todetermine whether the network terminal 200 is authorized to communicatewith the network resource 104. In the case where the communicationsnetwork 112 comprises the Internet, the authorization server 110 candetermine the network terminal's network address from the IP packetsreceived from the network terminal 200. On the other hand, if the useraccess level field 306 specifies “authorized access” for the networkresource 104, the authorization server 110 queries the user access levelsub-field with the user's name to determine whether the network terminal200 is authorized to communicate with the network resource 104.

If the query at step 512 reveals that the network terminal 200 is notauthorized to communicate with the network resource 104, at step 514 theauthorization server 110 provides the network terminal 200 with anotification that the network terminal 200 is not authorized forcommunication with the selected resource 104. However, if the query atstep 512 reveals that the network terminal 200 is authorized tocommunicate with the network resource 104, the authorization server 110queries the network address field 302 of the resource record 300associated with the network resource 104 for the network address of thenetwork resource 104. The authorization server 110 then establishes asecure communications channel with the driver administrator layer 408,and then transmits the network address to the driver administrator layer408 over the secure communications channel, at step 516.

Also, if the user access level field 306 specifies “authorized access”for the network resource 104, and the network terminal 200 is authorizedto communicate with the network resource 104, the authorization server110 queries the user access level sub-field for the authorizationpassword assigned to the network resource 104, and then transmits theauthorization password to the driver administrator layer 408 over thesecure communications channel, together with the network address. In thecase where the communications network 112 comprises the Internet,preferably the authorization server 110 establishes the securecommunications channel using a Secure Sockets Layer (“SSL”) protocol.Since the network address and the authorization password are transmittedover a secure communications channel, this information is concealed fromthe user of the network terminal 200.

Preferably, the authorization server 110 also extracts the resourcedriver identifier from the resource identifier field 314 of the resourcerecord 300, and determines whether the network terminal 200 is stillproperly configured for communication with the network resource 14. Ifthe network terminal 200 no longer has the correct resource driver 402,the authorization server 110 queries the driver database 122 for thecorrect resource driver 402, and prompts the user of the networkterminal 200 to download the correct resource driver 402. This driverconfiguration verification step may be performed concurrently orconsecutively with the network address providing step described in thepreceding paragraph.

In addition, the administration server 108 queries the registrationdatabase 124 to determine whether the user of the network terminal 200registered with the network resource access system 100. If the userregistered with the network resource access system 100 and specifiedthat the archive server 128 should maintain archival copies of datatransmissions, the administration server 108 transmits the networkaddress of the archive server 128 to the driver administrator layer 408.As a result, when the user of the network terminal 200 issues a datatransmission command, the driver application 400 will transmit the userapplication data to the selected network resource 104 and to the archiveserver 128.

At step 518, the application communication layer 406 passes theapplication data received from the application software to the resourcedriver 402 for translation into a format suitable for processing by theselected network resource 104. Meanwhile, the driver administrator layer408 interrogates the network resource 104, using the received networkaddress, to determine whether the network resource 104 still resides atthe specified network address, is operational and is on-line.

If the interrogated network resource 104 resides at the specifiednetwork address, is operational and is on-line. online, the resourcedriver 202 passes the translated application data to the datatransmitter layer 410 of the driver application 400. Preferably, thedata transmitter layer 410 compresses and encrypts the translatedapplication data upon receipt. The data transmitter layer 410 alsoreceives the network address of the network resource 104 from the driveradministrator layer 408, adds the network address data to thecompressed, encrypted data, and then transmits the resulting data overthe communications network 112 to the network resource 104 at thespecified network address, at step 520.

Preferably, the data transmitter layer 410 also transmits details of thetransmission to the transaction server 126, such as the selected networkresource 104 and the byte size of the transmission. Upon receipt of thetransmission details, preferably the administration server 108 queriesthe resource database 120 and the user registration database 124 for thee-mail address of the resource administrator and the e-mail address ofthe user of the network terminal 200, if provided, and then transmits ane-mail message indicating completion of the transmission.

If the user access level field 306 specifies “authorized access” for thenetwork resource 104, the data transmitter layer 410 also receives theauthorization password for the network resource 104 from the driveradministrator layer 408, and transmits the authorization password (aspart of the compressed, encrypted data) to the network resource 104.

If the user access level field 306 specifies “public access” for thenetwork resource 104, preferably the network resource 104 is accessiblethrough a local server which serves to queue, decrypt and decompress theapplication data, and extract the network address data, and thentransmit the decompressed application data to the appropriate networkresource 104. Alternately, the network resource 104 itself may beconfigured for direct communication over the communications network 112,such as an IPP-capable printer, so that the network resource 104 is ableto process the application data directly.

If the user access level field 306 specifies “authorized access” for thenetwork resource 104, preferably the network resource 104 is accessiblethrough a local server which serves to queue, decrypt and decompress theapplication data, and extract the network address data and authorizationpassword, and then transmit the application data to the appropriatenetwork resource 104 if the received authorization password is valid.

If the user access level field 306 specifies “private access” for thenetwork resource 104, typically the network resource 104 will be locatedbehind a firewall. Accordingly, the proxy server 114 associated with thenetwork resource 104 will receive the application data, and transfer theapplication data to the proxy server queue. The polling server 116associated with the network resource 104 will poll the proxy server 114to determine the status of the queue. Upon receipt of a polling signalfrom the polling server 116, the proxy server 114 transmits any queuedapplication data from the proxy server queue, through the firewall, tothe polling server 116. The polling server 116 then extracts the networkaddress from the received application data, and transmits theapplication data to the appropriate server 118 or network resource 104for processing.

As will be apparent from the foregoing discussion, regardless of theuser class defined for a network resource 104, if a resourceadministrator relocates a network resource 104 to another networkaddress, and/or changes the device type and/or restrictions/permissionsassociated with the network resource 104, the resource administratorneed only update the resource record 300 associated with the networkresource 104 to continue communication with the network resource 104.Subsequently, when a user attempts communication with the networkresource 104 using the original pseudo-name, the authorization server110 will provide the administrator layer 408 with the updated networkaddress of the network resource 104, or prompt the user to download theappropriate resource driver 402, assuming that the network terminal 200is still authorized to communicate with the network resource 104.

Further, if the user access level field 306 specifies “authorizedaccess” for the network resource 104 and the resource administratordesires to change the pseudo-name and authorization password associatedwith the network resource 104, the resource administrator need onlyupdate the pseudo-name and authorization password provided on theresource record 300. Subsequently, when a user of a network terminal 200initiates communication with the network resource 104 using the originalpseudo-name, the authorization server 110 scans the resource records 300for occurrences of the original pseudo-name. After locating theappropriate resource record 300, the authorization server 110 providesthe driver administrator layer 408 with the updated pseudo-name andauthorization password of the network resource 104, provided that thenetwork terminal 200 is still authorized to communicate with the networkresource 104. A network terminal 200 which is not authorized tocommunicate with the network resource 104 will not receive the updatedpseudo-name and authorization password from the authorization server 110and, consequently, will not be able to communicate with the networkresource 104, even if the user of the network terminal 200 knew thenetwork address for the network resource 104.

The foregoing description is intended to be illustrative of thepreferred embodiment of the present invention. Those of ordinary skillmay envisage certain additions, deletions and/or modifications to thedescribed embodiment which, although not explicitly described herein,are encompassed by the spirit or scope of the invention, as defined bythe claims appended hereto.

We claim:
 1. A secure network resource access system for facilitatingnetwork access by network terminals to network resources located behindan enterprise firewall, the secure network resource access systemcomprising: a proxy server located logically outside the enterprisefirewall for receiving application data from the network terminals; anda polling server located logically behind the enterprise firewall, thepolling server being configured for polling the proxy server to initiatetransmission of the received application data from the proxy server tothe polling server.
 2. The secure network resource access systemaccording to claim 1, wherein each said network resource includes analias name, and the application data includes the alias name of one ofthe network resources, and the polling server is configured to directthe application data to the one network resource in accordance withalias name.
 3. A method for facilitating secure network access bynetwork terminals to network resources located behind an enterprisefirewall, the method comprising the steps of: polling a proxy serverlocated logically outside the enterprise firewall for requests forcommunication with the network resources; receiving application data andassociated network resource data from the proxy server in response tothe polling step; and directing the application data to one of thenetwork resources in accordance with the associated network resourcedata.
 4. The method according to claim 3, wherein each said networkresource includes an alias name, and the network resource data includesthe alias name of the one network resource.